IT bugs out over IIS security

posted on July 24, 2001
by hitbsecnews

For Brooks Martin, patching and maintaining his Microsoft IIS Web servers is almost a full-time job. With so many vulnerabilities—and with a new patch appearing seemingly every week—Martin said it’s a struggle keeping his head above water. “We stay on top of what we do, but you never know,” said Martin, CEO of isObject, an independent software developer in Brentwood, Tenn. “Maintaining IIS servers is a cumbersome, tedious process. Any time you bring a new server online, you have to apply 40 or 50 patches.”

Martin and his staff were spending so much time dealing with the security of their Internet Information Services servers that Martin installed an add-on program designed to harden IIS boxes against a growing list of bugs.

(MSNBC is a Microsoft-NBC joint venture.)

An increasing number of IIS users have grown weary
of the nonstop flood of security problems that have plagued
Microsoft’s widely deployed Web server. Since the
beginning of last year, Microsoft has issued 21 security
bulletins for IIS 5.0 alone, a number that is increasing at the
rate of about one every three weeks. In fact, vulnerabilities
in the Web server have become so commonplace that some
security administrators joke that IIS stands for “It Isn’t
Secure.”

Security consultancy @Stake Inc. estimates that IIS
holds 25 percent of the market for enterprise Web servers,
yet more than 50 percent of the Web sites listed on the
Attrition.org archive of defaced sites are running IIS.

Despite the widespread perception of IIS as a
nonsecure server, many customers say that, because it is the
default Web server with Windows NT and Windows 2000,
it will remain their server of choice because they are too
committed to Microsoft to make a switch practical or
affordable. In real-world terms, this means large portions of
the Internet will remain vulnerable as long as this attitude
prevails.

“I would switch if I could convince my company to do
it,” said Jeff Nelson, network manager at Cleveland Motion
Controls Inc., in Cleveland, and an IIS user. “It’s hard to
find good Unix security guys, though. But [Microsoft’s] new
licensing policies do make dumping them a lot more
attractive.”

Many of the vulnerabilities in IIS are routine flaws that can be used to crash or hang the server. But a growing number of the flaws are serious problems that enable attackers to control the server. Among recent examples is a flaw in the ISAPI extension that is installed by default as part of the Indexing Server. By exploiting an unchecked buffer, an attacker can conduct a buffer overflow attack, gain control of the server and execute arbitrary commands.

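
As an added example (not from the article and not Microsoft’s ISAPI code), here is the shape of the flaw the paragraph describes, written in C: a hypothetical request handler that copies a query string into a fixed-size stack buffer without checking its length, beside the hardened version that establishes the length within the bound first and refuses anything that would not fit. The handler names, the 64-byte buffer and the sample inputs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical handler shapes (not Microsoft's code); the buffer size is an assumption. */
#define QUERY_MAX 64

/* Unchecked variant: the bug pattern the article describes.
 * strcpy copies until the NUL, so a query of QUERY_MAX bytes or more
 * writes past the end of buf on the stack. Kept here for contrast only;
 * main() and the checks below never feed it oversized input. */
static int handle_query_unchecked(const char *query)
{
    char buf[QUERY_MAX];
    strcpy(buf, query);          /* no length check at all */
    return (int)strlen(buf);
}

/* Hardened variant: look for the terminating NUL only within the bound and
 * reject the request when it is not there, before any copy happens.
 * Returns the query length, or -1 when the request is rejected. */
static int handle_query_checked(const char *query)
{
    char buf[QUERY_MAX];
    const char *nul = memchr(query, '\0', QUERY_MAX);  /* scan at most QUERY_MAX bytes */
    if (nul == NULL)
        return -1;                                      /* too long: reject, do not copy */
    size_t n = (size_t)(nul - query);
    memcpy(buf, query, n + 1);                          /* n + 1 <= QUERY_MAX, so it fits */
    return (int)n;
}

/* Helper for the checks: build a constructed query of `len` 'A' bytes and run
 * the hardened handler on it, so the rejection boundary can be verified. */
static int probe_checked(size_t len)
{
    char *q = malloc(len + 1);
    if (q == NULL)
        return -2;
    memset(q, 'A', len);
    q[len] = '\0';
    int r = handle_query_checked(q);
    free(q);
    return r;
}

int main(void)
{
    const char *normal = "search=iis";       /* constructed, in-bounds input */
    printf("unchecked, normal input: %d\n", handle_query_unchecked(normal));
    printf("checked,   normal input: %d\n", handle_query_checked(normal));
    printf("checked,   63 bytes:     %d\n", probe_checked(63));   /* 63: accepted */
    printf("checked,   64 bytes:     %d\n", probe_checked(64));   /* -1: rejected */
    printf("checked,   300 bytes:    %d\n", probe_checked(300));  /* -1: rejected */
    return 0;
}
```

The point of the contrast is that the bound has to be enforced at the copy itself; an extension that is installed by default but never used is still reachable, which is why the article’s other remedy, shipping fewer services enabled, reduces exposure independently of any single fix.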
IT managers and security specialists have long been
leery of IIS’ security, but, like Martin, they have stuck with
it for convenience and fiscal reasons. However, the recent
flood of problems and the increased attention to privacy and
security in today’s marketplace have led some, including
Nelson, to reconsider their positions.

The problem, users said, isn’t just that IIS seems to be
more prone to security problems than competing Web
servers such as iPlanet and open-source darling Apache.
The real issue is the
perception that Microsoft officials know there’s a problem
but refuse to take any meaningful steps to rectify it.

“Who knows why they do what they do?” Martin asked. “They don’t take people like us seriously.”

This, Microsoft officials insisted, is not the case. They acknowledged that IIS has more than its share of vulnerabilities, but they also pointed out that Microsoft is one of the few vendors that issues security bulletins and patches as soon as a problem is found.

“There is a problem with IIS,” said Scott Culp, security program manager at Microsoft, in Redmond, Wash. “We’ve just had too many vulnerabilities affecting IIS, especially this year. We recognize the need to do a better job of making it secure.”

Culp points to the last two versions of IIS — 4.0 and 5.0 — as the main sources of trouble.

“In 4.0 and 5.0, IIS installed with more services turned
on by default than most people needed,” he said. The
assumption was that customers would then use the
Microsoft-provided checklists to go through and shut down
the services they didn’t need, such as Internet Printing and
Internet Database Connection. But few customers did so
and thus were left exposed to a wide variety of
vulnerabilities they could have avoided.

SERVER IN FOR AN OVERHAUL

To rectify this issue, Microsoft is overhauling the default
configuration process in IIS 6.0, which is part of the
forthcoming .Net server due this fall.

The configuration process will be driven by a
wizard-style program that will ask the administrator a series
of questions about how he or she plans to use the server.
The answers will determine which services are enabled,
Culp said.

“We’ve been surprised to find out how many customers have unneeded services turned on,” Culp said. “A lot of folks don’t know these things are there.”

To some IIS users, this is a big — if belated — step in the right direction.

“The problem with Microsoft is that they try to be everything to everyone,” Nelson said. “They enable everything, and no one needs all of those services. It’s really sad. You don’t have to know anything about hacking to [break into an IIS server].”

After his company’s network was compromised recently by a crew of well-known software pirates who were using a server to store stolen programs, Nelson disabled more than 20 IIS services.

In what may be a sign of things to come, Microsoft announced recently a partnership with VeriSign designed to bolster security. Under terms of the deal, VeriSign will provide digital certificates for Microsoft’s HailStorm Web services initiative. In addition, Microsoft will incorporate VeriSign’s Personal Trust Agent technology into its Passport Web authentication service.

Microsoft also plans to include existing IIS patches in any future patch release — a concept known as roll-up patches — in an effort to placate customers who complain that it is too time-consuming to install every patch that comes down the pike.

Many companies perform extensive testing on bug fixes
before installing them, and users said it’s hard to free up the
manpower and resources needed to go through this
process.

While they said they believe that Microsoft is right to
try to simplify the setup process and improve the security of
IIS, many security professionals still say they don’t trust
Microsoft. “None of us feels that Microsoft knows a thing
about security,” said one security specialist, whose
company is gradually migrating from IIS to Apache out of
concern for IIS’ security problems.

Despite this sentiment and a track record that, by
Microsoft’s own admission, is spotty at best, there are
those who say that the company’s mistakes get more
attention simply because of Microsoft’s high profile.

“IIS is a target because it’s Microsoft software,” said Chris Wysopal, research director at @stake, in Cambridge, Mass. “Out of the box, the server is very open, and administrators don’t know they have to tailor it to their needs. The product has the everything-but-the-kitchen-sink approach, and there are a lot of opportunities to attack it.”

Culp, Wysopal and others also argue that administrators make the problems even worse by failing to use patches in a timely manner even when they’ve been widely publicized.

“We see a lot of bad configurations out there, and patches haven’t been installed, which is a big problem,” Wysopal said.

But that doesn’t refute the argument that, if Microsoft
produced more secure software, administrators wouldn’t
have to spend so much time maintaining it. Or, as one
soon-to-be former IIS user put it when asked why his
company was switching Web servers, “When was the last
time you read about an Apache vulnerability?”

Source: MSNBC